PIX & POP3

[LittleFishy]

I am trying to set up POP3 mail for travelling sales men using Exchange 2003 & Cisco PIX 515. I entered/guessed the following entry into the PIX, which seems to have allowed me to download all of my mail to my home computer (using Outlook 2003), however when I try to send a email I just get an delivery failure. When I try to send to my Hotmail account for instance, I get told it failed to route through my server!

Current settings are:

access-list acl_out permit tcp any host 10.10.10.76 eq smtp
access-list acl_out permit tcp any host 10.10.10.75 eq www
access-list acl_out permit tcp any host 10.10.10.75 eq pop3

I sure it must be the lack of an inbound entry, but I not sure what.

Thanks for any help.

 

[horus42]

You need to allow incoming smtp traffic as well, the above rules are (I think) for outgoing traffic. Can anyone else send mail out through your server?

 

[LittleFishy]

All messages sent from users desktop work are fine and if a remote user uses either the Ciscon VPN or OWA it works. Its just that I thought POP3 would be better for travelling staff.

 

[horus42]

If I understand correctly, you want remote users to be able to download their emails using POP3 and send their emails via the same server, if that is the case these users will need SMTP access to the server as well as POP3, you also need to make sure emails can only be send by authenticated users otherwise your system will become "open relay "

Can you double check how you configured the mail clients smtp section, You also need to make sure that your server is not only allowing SMTP connections from certain IPs

I would actually take a different route, I would enable secure IMAP which would mean all of the users emails are on the server all the time, which should make backing up a lot more simpler and they would have access to their emails from anywhere, SSL would make sure that their connections are encrypted.

 

[LittleFishy]

Yes, that’s right, I just want sales staff to access there email, in hotels, airports etc and OWA just seems to be very temperamental. I need to check how I set them up to confirm their Outlook settings. Your idea sounds good, how would I set that up in the Exchange and the PIX.

 

[horus42]

I never used IMAP with exchange, but I'm sure there are tons of examples if you just do a quick search, after you configured exchange you just need to open up those ports on the PIX (secure IMAP uses 993)



Hope that helps.

 

[LittleFishy]

The version of PIX doesn't mention secure 993 only 143, which I assume is going to offer no more security. The server has relay restrictions setup for certain servers to relay, which is I guess why I get told I 'failed to route through my server'. If I remove those servers how do I keep the security the currently offer, but allow the access to users. Thanks.

 

[horus42]

The firewall wouldn’t mention the secure port until you create an access rule which allows that port, the rule would be something like “access-list 102 perm tcp any host x.x.x.x eq 993”

You need to configure the server so that it allows relaying to the authenticated users, which means before anyone can send email out they need to authenticate with the SMTP server, this is relatively simple as it would use the same IMAP/POP username and password for SMTP.


Hope that helps